
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes


  1. Introduction / Motivation · Symbolic Method · Experiments · Conclusion
     - Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes
     - Workshop PROOFS
     - Inès Ben El Ouahma, Quentin Meunier, Karine Heydemann, Emmanuelle Encrenaz
     - Sorbonne Universités, UPMC Univ Paris 06, UMR 7606, LIP6, F-75005, Paris, France
     - September 29th, 2017, Taipei, Taiwan
     - 1 / 24

  2. Outline
     - 1 Introduction / Motivation
     - 2 Symbolic Method
     - 3 Experiments
     - 4 Conclusion

  3. Side-Channel Attacks
     - [Figure: side channels for key recovery. Labels: execution time, EM emission, power consumption, measurements, statistical analysis.]

  4. The Masking Countermeasure
     - Aim: observation of d intermediate computations cannot reveal the secret x ⟹ d-th order masking
     - Splits a secret x in d+1 shares using random uniform variables called masks
     - Operation-dependent, i.e. boolean masking: x ⊕ m
     - At software level, usually added in the source code (easy to identify secret variables)
     - Problems:
       - Need to ensure that a masked program is leakage free in practice
       - Compilation flow and optimizations (reordering, removal...) may affect masking effectiveness

  5. Masked Programs Security: Existing Formal Verifications
     - [Bayrak,CHES13] SAT verification of sensitivity: an operation on a secret must involve a random variable which is not a don't care variable (i.e. it affects the result)
       - ✓ Low level: LLVM programs
       - × Security property not sufficient
     - [Eldib,TACAS14] SMT verification of perfect masking, i.e. statistical independence of intermediate computations from secrets
       - ✓ Strong security property
       - × C level & bit-blasted programs (could be applied to low level)
       - × Lack of scalability (combinatorial blow-up of the enumeration)
     - [Barthe,Eurocrypt15] t-non-interference: joint probability distribution of any t intermediate expressions is independent from secrets
       - ✓ Strong security property
       - ✓ Good scalability
       - × Cannot conclude for some cases

  6. Our Goal
     - To verify side channel resistance:
       - Of 1st order masked programs
       - At assembly level
       - In the value-based model: instruction result leaks
     - Considering that: leakage-free instruction ⟺ result is statistically independent from secrets
     - With a symbolic approach that infers the distribution type of instruction expressions

  7. Plan
     - 1 Introduction / Motivation
     - 2 Symbolic Method
     - 3 Experiments
     - 4 Conclusion

  8. Verification Scheme

         # r0 ← k ; r1 ← m1; r2 ← m2; r3 ← m3
         1  eor r4, r0, r1   # k ⊕ m1
         2  eor r5, r0, r2   # k ⊕ m2
         3  and r5, r5, r3   # (k ⊕ m2) & m3
         4  and r5, r5, r4   # (k ⊕ m1) & ((k ⊕ m2) & m3)

     - Is the root distribution statistically independent from k?
       - Inputs tagged with a distribution type
       - Bottom-up combination of distribution types using defined inference rules
     - [Figure: data dependency graph of the last instruction. Root &, with children ⊕ and &; leaves k (secret), m1 (mask), m2 (mask), m3 (mask).]

  9. Symbolic Approach
     - 4 distribution types for variables and expressions:
       - Random Uniform Distribution (RUD)
       - Unknown Distribution (UKD)
       - Constant (CST)
       - (Statistically) Independent from Secrets Distribution (ISD): not necessarily uniform but identical for all values of the secrets.
     - Example, with k: secret and m1, m2: masks:
       - e = (k ⊕ m1) & m2
       - e' = (k ⊕ m1) & m1

     | k | m1 | m2 | e | e' |
     |---|----|----|---|----|
     | 0 | 0  | 0  | 0 | 0  |
     | 0 | 0  | 1  | 0 | 0  |
     | 0 | 1  | 0  | 0 | 1  |
     | 0 | 1  | 1  | 1 | 1  |
     | 1 | 0  | 0  | 0 | 0  |
     | 1 | 0  | 1  | 1 | 0  |
     | 1 | 1  | 0  | 0 | 0  |
     | 1 | 1  | 1  | 0 | 0  |

     - For k = 0: P(e=0) = 3/4, P(e=1) = 1/4; P(e'=0) = 1/2, P(e'=1) = 1/2
     - For k = 1: P(e=0) = 3/4, P(e=1) = 1/4; P(e'=0) = 1, P(e'=1) = 0

  10. Independence Notions
     - Which distribution types assert that an expression is statistically independent from secrets?
     - Dependence between expression e and variable v:
       - structural ⟹ v appears in e
       - statistical ⟹ the distribution of the result of e depends on v
     - ⟹ Need to keep track of structural dependencies: (k ⊕ m) & m
     - Safe types:
       - e ∼ RUD
       - e ∼ ISD
       - e ∼ UKD with no structural dependency on any secret
     - Unsafe type:
       - e ∼ UKD{dep} with structural dependency on some secret variable: dep ∩ S ≠ ∅

  11. Dominant Masks
     - Aim: to find a mask that randomizes the whole expression
     - Dom Rule:
       - expression e = e' ⊕ m or e = e' + m mod 2^n
       - m ∼ RUD{m}
       - m ∉ dep(e')
       - ⟹ e ∼ RUD and m is a dominant mask of e.
     - 2 sets of dominant masks:
       - dom_⊕(e): the set of xor dominant masks of e
       - dom_+(e): the set of additive dominant masks of e
     - Examples:
       - dom_⊕((k + m1) ⊕ (k ⊕ m1 ⊕ m2)) = m2
       - dom_+((k + m1) ⊕ 0) = dom_+(k + m1) = m1

  12. Other Inference Rules
     - By distribution types:
       - Set of rules for ⊕, + mod 2^n
       - Set of rules for AND and OR
     - Disjoint rule for binary operators:
       - u ∼ ISD{dep0} and v ∼ ISD{dep1}
       - No masks in common: dep0 ∩ dep1 ∩ M = ∅
       - ⟹ (u op v) ∼ ISD{dep0 ∪ dep1} for every binary operation op
     - More details in the paper

  13. Running Example
     - Type inference for the last instruction i4: (k ⊕ m1) & ((k ⊕ m2) & m3)
     - Annotated data dependency graph:
       - & (root): ISD{k, m1, m2, m3}
         - ⊕: RUD{k, m1}
           - k: UKD{k}
           - m1: RUD{m1}
         - &: ISD{k, m2, m3}
           - ⊕: RUD{k, m2}
             - k: UKD{k}
             - m2: RUD{m2}
           - m3: RUD{m3}
     - i4 is statistically independent from k
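The running example's derivation can be reproduced with only the Dom rule and the Disjoint rule from the slides. The Python below is an added example, not the authors' tool: the tuple encoding of expressions, the names `infer` and `leak_free`, the propagation of dominant-mask sets through nested ⊕ / +, and treating RUD operands as ISD in the Disjoint rule are assumptions of this example.

```python
# Added example: Dom rule + Disjoint rule only (the paper's other rules are omitted).
SECRETS = frozenset({"k"})                  # S: secret inputs
MASKS = frozenset({"m1", "m2", "m3"})       # M: uniform random masks

def infer(e):
    """Return (type, dep, dom) for e, a variable name or an (op, left, right) tuple.

    dep is the set of structural dependencies; dom maps "xor"/"add" to the
    dominant masks of e for that operator.
    """
    if isinstance(e, str):                  # leaf: tagged input
        if e in MASKS:
            return "RUD", frozenset({e}), {"xor": {e}, "add": {e}}
        return "UKD", frozenset({e}), {"xor": set(), "add": set()}
    op, left, right = e
    (tl, dl, ml), (tr, dr, mr) = infer(left), infer(right)
    dep = dl | dr
    dom = {"xor": set(), "add": set()}
    if op in dom:
        # Dom rule: a mask dominant on one side stays dominant if the other
        # side does not depend on it (m not in dep(e')).
        dom[op] = (ml[op] - dr) | (mr[op] - dl)
        if dom[op]:
            return "RUD", dep, dom
    # Disjoint rule: both operands independent from secrets, no shared mask.
    if {tl, tr} <= {"RUD", "ISD"} and not (dl & dr & MASKS):
        return "ISD", dep, dom
    return "UKD", dep, dom                  # no rule applies: cannot conclude

def leak_free(e):
    """Safe types: RUD, ISD, or UKD with no structural dependency on a secret."""
    t, dep, _ = infer(e)
    return t in ("RUD", "ISD") or not (dep & SECRETS)

# i4 from the running example: (k ^ m1) & ((k ^ m2) & m3)
I4 = ("and", ("xor", "k", "m1"), ("and", ("xor", "k", "m2"), "m3"))
# e' from the distribution-type slide: (k ^ m1) & m1, the mask is reused
E_PRIME = ("and", ("xor", "k", "m1"), "m1")
# dominant-mask example: (k + m1) ^ (k ^ m1 ^ m2)
DOM_EX = ("xor", ("add", "k", "m1"), ("xor", ("xor", "k", "m1"), "m2"))

if __name__ == "__main__":
    for name, e in (("i4", I4), ("e'", E_PRIME), ("dom example", DOM_EX)):
        t, dep, dom = infer(e)
        print(name, t, sorted(dep), sorted(dom["xor"]), leak_free(e))
```

The reused mask in e' defeats the Disjoint rule, so the result stays UKD with a dependency on k and is reported as unsafe, which matches the truth table on the distribution-type slide.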

  14. Bit Level Analysis
     - When no conclusion is possible at word level ⟹ split the expression e into several expressions at bit level: e_n ... e_2 e_1 e_0
     - case 1: e_i ∼ RUD and different dominant mask for each e_i
     - case 2: Deduplicated ISD bit and concatenation with CST bits
     - case 3: Concatenation of an ISD bit with CST bits
     - [Figure: bit layouts e_n ... e_0 for the three cases, with bits labelled by their mask m_i or by their type CST / ISD.]
     - Example from mix columns in AES:
       - e = (LSR(mt1 ⊕ mp ⊕ sbox5, 7) ⊕ LSR(mt2 ⊕ mp ⊕ sbox10, 7)) + ((LSR(mt1 ⊕ mp ⊕ sbox5, 7) ⊕ LSR(mt2 ⊕ mp ⊕ sbox10, 7)) ≪ 1)
       - b_7 = mt1_7 ⊕ mp_7 ⊕ sbox5_7 ⊕ mt2_7 ⊕ mp_7 ⊕ sbox10_7
       - e ⟹ 0000 00 b_7 b_7 ⟹ ISD

  15. Plan
     - 1 Introduction / Motivation
     - 2 Symbolic Method
     - 3 Experiments
     - 4 Conclusion

  16. Comparison with Two Methods
     - Our method: distribution type inference implemented in Python
     - C-enumerative: generates a C program that computes the expression distribution by enumerating on all variable values
       - returns: RUD, ISD or vulnerable
     - SMT-enumerative: extends Eldib et al.'s approach for n-bit variables (generates a SMT problem that searches for two values of a secret for which the expression distribution is different)
       - returns: ISD or vulnerable
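The enumerative reference check described above, sketched in Python as an added example (not the authors' generator, which emits C): for each secret value it enumerates all mask values and compares the resulting output distributions. The function names and the lambda encoding are assumptions of this example; the expressions are i1, e, e' and i4 from the earlier slides.

```python
from collections import Counter
from itertools import product

def distributions(expr, secrets, masks, bits=1):
    """Map each assignment of the secrets to the histogram of expr's result
    over all equally likely mask values (exhaustive, exponential cost)."""
    values = range(1 << bits)
    table = {}
    for s in product(values, repeat=len(secrets)):
        hist = Counter()
        for m in product(values, repeat=len(masks)):
            env = dict(zip(secrets, s))
            env.update(zip(masks, m))
            hist[expr(env) & ((1 << bits) - 1)] += 1   # keep n-bit results
        table[s] = hist
    return table

def classify(expr, secrets, masks, bits=1):
    """Return "RUD", "ISD" or "vulnerable", the verdicts the slide lists."""
    hists = list(distributions(expr, secrets, masks, bits).values())
    if any(h != hists[0] for h in hists):
        return "vulnerable"              # distribution changes with the secret
    counts = hists[0]
    uniform = len(counts) == (1 << bits) and len(set(counts.values())) == 1
    return "RUD" if uniform else "ISD"

# Expressions from the slides, each with the masks it uses; k is the secret.
EXAMPLES = {
    "i1": (lambda v: v["k"] ^ v["m1"], ["m1"]),
    "e": (lambda v: (v["k"] ^ v["m1"]) & v["m2"], ["m1", "m2"]),
    "e'": (lambda v: (v["k"] ^ v["m1"]) & v["m1"], ["m1"]),
    "i4": (lambda v: (v["k"] ^ v["m1"]) & ((v["k"] ^ v["m2"]) & v["m3"]),
           ["m1", "m2", "m3"]),
}

def verdicts(bits=1):
    """Classify every example expression for bits-wide variables."""
    return {name: classify(f, ["k"], masks, bits)
            for name, (f, masks) in EXAMPLES.items()}

if __name__ == "__main__":
    print(distributions(EXAMPLES["e"][0], ["k"], ["m1", "m2"]))
    print(verdicts(bits=1))
    print(verdicts(bits=2))
```

The inner loop runs 2^(bits × number of masks) times per secret value, which is the combinatorial blow-up that keeps enumeration from scaling to the AES and Simon benchmarks.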

  17. Benchmarks

     | Group | Program | #ASM inst | Size in bits | # masks | # secrets | Secure in literature |
     |---|---|---|---|---|---|---|
     | Boolean programs for comparison with SMT | P6 [Eldib,TACAS14] | 8 | 1 | 3 | 3 | × |
     | Boolean programs for comparison with SMT | Masked Chi [Eldib,TACAS14] | 8 | 1 | 2 | 3 | ✓ |
     | Algorithms for switching between boolean and arithmetic maskings | Goubin Conversion [Goubin01] | 8 | 4 | 2 | 1 | ✓ |
     | Algorithms for switching between boolean and arithmetic maskings | Coron Conversion [Coron15] | 37 | 4 | 3 | 1 | ✓ |
     | Cryptographic algorithms | Masked AES 1st round [Herbst06] | 422 | 8 | 6 | 16 + 16 | ✓ |
     | Cryptographic algorithms | Simon TI 1st round [Shahverdi17] | 15 | 32 | 5 | 3 + 2 | ✓ |

  18. Experimental Comparison

     | Program | Ref (enumeration) # RUD | Ref (enumeration) # ISD | Ref (enumeration) # Vuln | Symbolic # RUD | Symbolic # ISD | Symbolic # UKD | Symbolic # CST |
     |---|---|---|---|---|---|---|---|
     | P6 | 6 | 2 | 0 | 6 | 2 | 0 | 0 |
     | Masked Chi | 2 | 2 | 4 | 2 | 2 | 4 | 0 |
     | Goubin Conversion | 7 | 1 | 0 | 5 | 0 | 3 | 0 |
     | Coron Conversion | 19 | 11 | 7 | 14 | 10 | 13 | 0 |
     | Masked AES 1st round | - | - | - | 302 | 0 | 0 | 120 |
     | Simon TI 1st round | - | - | - | 7 | 4 | 3 | 1 |

     - Enumeration methods ⟹ sound, complete but not applicable on AES/Simon
     - Symbolic method ⟹ sound ({Vuln} ⊆ {UKD}) but not complete

  19. Verification Time

     | Program | Symbolic time | Enum C time | SMT time |
     |---|---|---|---|
     | P6 | < 1s | < 1s | < 1s |
     | Masked Chi | < 1s | < 1s | < 1s |
     | Goubin Conversion | < 1s | < 1s | 35mn |
     | Coron Conversion | 2s | 1s | 5,6h |
     | Masked AES 1st round | 22s | - | - |
     | Simon TI 1st round | 8.5s | - | - |

     - C-enumeration ⟹ fast but only for small programs
     - SMT-enumeration ⟹ can be long even for small programs
     - Symbolic method ⟹ better scalability
